To analyze complex and heterogeneous real-time embedded systems, recent works have proposed interface techniques between real-time calculus (RTC) and timed automata (TA), in order to take advantage of the strengths of each technique for analyzing various components. But the time to analyze a state-based component modeled by TA may be prohibitively high, due to the state space explosion problem. In this paper, we propose a framework of granularity-based interfacing to speed up the analysis of a TA-modeled component. First, we abstract fine models to work with event streams at coarse granularity. We perform analysis of the component at multiple coarse granularities and then, based on RTC theory, we derive lower and upper bounds on arrival patterns of the fine output streams using the causality closure algorithm of [2]. Our framework can help to achieve tradeoffs between precision and analysis time.

1 Introduction 

Modern real-time embedded systems are increasingly complex and heterogeneous. They may be composed of various subsystems, and it is a general practice that some of the subsystems are power-managed [?], in order to reduce energy consumption and to extend the system lifetime. Such a subsystem may have multiple running modes. A mode with lower power consumption also implies lower performance levels. Due to real-time requirements, it is thus critical to analyze the system timing performance, but the complexity of this analysis is challenging, especially when it is scaled to large and heterogeneous systems.

Compositional analysis techniques have been presented as a way of tackling the complexity of accurate performance evaluation of large real-time embedded systems. Examples include SymTA/S (Symbolic Timing Analysis for Systems) [9] and modular performance analysis with real-time calculus (RTC) [?]. Various models have also been proposed to specify and analyze heterogeneous components [14]. Each analysis technique has its own particular strengths and weaknesses. For example, SymTA/S or RTC-based analysis can provide hard lower/upper bounds for the best-/worst-case performance of a system, and has the advantage of short analysis time. But typically, they are not able to model complex interactions and state-dependent behavior and can only give very pessimistic results for such systems. On the other hand, state-based techniques, e.g. timed automata (TA) [3], construct a model that is more accurate, and can determine exact best-/worst-case results. But they face the state explosion problem, leading to prohibitively high analysis time and memory usage even for a system of reasonable size.

Efforts have been made to couple different approaches [5][10][17][1], e.g. to combine the functional RTC-based analysis with state-based models. The most general ones are based on interfacing RTC with another existing formalism: in [16], an interfacing technique is proposed to compose RTC-based techniques with state-based analysis methods using event count automata [?]. A tool called CATS [6] is just at the beginning of its development. It allows modeling a component using TA within a system described by RTC. A variant of the approach is described in [11], which restricts to convex and concave curves, but potentially uses fewer clocks and may therefore scale better.

In this paper, we follow the line of recent development in interfacing between RTC and state-based models done in CATS, and focus on speeding up the analysis for a power-managed component (PMC) modeled by TA. We adapt the framework to analyze event streams at different granularities. This implies the ability to design the component to be analyzed at coarser granularities: the translation of the component from one granularity to another has to be made automatic. To do so, we focus on a class of timed automata of interest that we call M-TA, on which the translation is possible. M-TA model power-managed components, characterized with different modes of computation. We then define a schema of translation at coarser granularity. The schema is formally proven and the whole approach is validated with experimentation: we show that our abstracted model scales far better than the fine-granularity one, with a reasonable loss of precision.

Organization of the paper: in the next section (Section 2) we detail the implementation of the existing interfacing techniques between RTC and TA. In Section 3 we give an overview of the framework for granularity-based interfacing and Section 4 formally details the granularity change. In Section 5 we discuss our targeted PMC, and its fine and coarse TA models; and in Section 6 we present some experimental validations. Finally, we conclude and present future work in Section 7.

2 Interfacing Timed Automata and Real-Time Calculus 

Real-Time Calculus (RTC). The Real-Time Calculus (RTC) [15] is a framework to model and analyze heterogeneous systems in a compositional manner. It relies on the modeling of timing properties of event streams and available resources with curves called arrival curves and service curves. A component can be described with curves for its input stream and available resources and some other curves for the outputs. For already-modeled components, RTC gives exact bounds on the output stream of a component as a function of its input stream. This result can then be used as input for the next component.

An arrival curve is an abstraction to represent the set of event streams that can be input to (resp. output from) a component; it is expressed as a pair of curves $\xi = (\xi^L, \xi^U)$. For $k > 0$, $\xi^L(k)$ and $\xi^U(k)$ respectively provide, for any potential stream, the lower and upper bounds on the length of the time interval during which any $k$ consecutive events can arrive. Let $t_i$ denote the arrival time of the $i$-th event; $t_i$ may be real (we use continuous time) but the number of events that occur at $t_i$ is discrete (it is represented by a natural number); we have $\xi^L(k) \leq t_{i+k} - t_i \leq \xi^U(k)$ for all $i \geq 0$ and $k > 0$.

Similarly, the processing capacity of a component is specified by a service curve $\psi = (\psi^L, \psi^U)$. The length of the time to process any $k$ consecutive events for any potential stream is at least $\psi^L(k)$ and at most $\psi^U(k)$.

Notice that, in the RTC theory, an arrival curve $\alpha = (\alpha^L, \alpha^U)$ (resp. service curve $\beta$) is usually expressed in terms of numbers of events per time interval. In this paper, we express the arrival curves ($\xi$) and service curves ($\psi$) in terms of length of time interval, in order to explain our work better. Actually, $\xi$ is a pseudo-inverse of $\alpha$, satisfying $\xi^U(k) = \min_{\Delta \geq 0}\{\Delta \mid \alpha^L(\Delta) \geq k\}$ and $\xi^L(k) = \max_{\Delta \geq 0}\{\Delta \mid \alpha^U(\Delta) \leq k\}$ (same for $\beta$ and $\psi$).

Timed Automata (TA). A timed automaton [?] is a finite-state machine extended with clocks. A clock measures the time elapsed since its last reset and all clocks increase at the same rate. Figure 3(b) shows an example. States are labelled by invariants and transitions by guards and clock resets (e.g. $t \leftarrow 0$). Invariants and guards are conjunctions of lower and upper bounds on clocks and differences between clocks. The automaton can only let time elapse in a state whenever the invariant evaluates to true. A transition may be triggered when the guard evaluates to true, and some clocks are then reset. Timed automata may be synchronized via binary rendez-vous: for example, the self-loop transition around Counting is labelled with the signal produce?. This means that the transition cannot be fired unless the automaton receives at the same instant the signal produce! from another one. Furthermore, we use UPPAAL TA syntax and extensions [?], such as integer counters (e.g. cost).



Interfacing TA and RTC 

In the following, we show the techniques from CATS [6] for interfacing TA and RTC. The motivation comes from the fact that some components may not be accurately modeled with RTC tools. The idea is then to use TA for the component model, but to nevertheless be able to consider arrival and service curves to characterize inputs and outputs of the system. This implies the use of adapters, as shown in Figure 1, connecting RTC curves (which describe a set of event streams) and the TA (which inputs or outputs a single event stream). From RTC curves to TA, we use a generator that inputs events into the component such that the event stream satisfies the input curve $\xi$. From TA to RTC, the component outputs events that feed an observer which measures the smallest and largest time interval between events, to compute the output curve $\bar{\xi}$. Both generators and observers are timed automata; they are composed with the timed automaton component and the tool UPPAAL CORA [4] is used to verify the whole. Notice that this framework is convenient whatever the computational model used for the component (see e.g. ac2lus [?]).



[Figure 1: input arrival curve $\xi$ → Generator → Component (TA) → Observer → output arrival curve $\bar{\xi}$]

Figure 1: Interfacing RTC and TA

In all this work, RTC curves are assumed to be given by a finite set of $N$ points, namely, $(\rho^L, \rho^U)$ are defined by the points $(\rho^L(i), \rho^U(i))$, for $i \in [1 : N]$.



Generator. The goal for the generator is, given an input arrival (resp. service) curve, to be able to generate any event stream that satisfies this curve, and only those. Figure 2 shows the TA model $Generator(\rho^L, \rho^U, signal)$ which non-deterministically generates a sequence of signals called $signal!$ that satisfies $(\rho^L, \rho^U)$.

The main idea is to reset a clock whenever an event is emitted. As we need to check any $N$ successive events, we need to memorize only $N$ clocks, that we declare in a circular clock array $y$ of size $N$: $y[k \% N]$ represents the time elapsed since event $k$ has occurred. We note $\lambda$ the index of the next event to be generated: then we have to check that the $N$ events before $\lambda$ comply with the curve. The index of those events is given by the function $getIdx(i) \to (\lambda - i + N) \% N$ ($1 \leq i \leq N$). Note that at the beginning, fewer than $N$ events have been emitted: we introduce a bounded counter $\theta$, from $0$ to $N$, that represents the actual number of events to be considered. The constraints that satisfy the curves are then expressed as:

(Check_Upper) $y[getIdx(i)] \leq \rho^U(i),\ \forall i \in [1 : \theta]$
(Check_Lower) $y[getIdx(i)] \geq \rho^L(i),\ \forall i \in [1 : \theta]$

(Check_Upper) expresses an invariant on how much time can elapse (i.e. when an event must be generated), whereas (Check_Lower) qualifies the date from which a new event may be emitted, checked before emitting a new signal.



[Figure 2: a single state with invariant Check_Upper and a self-loop transition with guard Check_Lower, synchronization $signal!$, and updates $y[\lambda] \leftarrow 0$, $\lambda \leftarrow (\lambda + 1) \% N$, $\theta \leftarrow \theta < N\ ?\ \theta + 1 : N$]

Figure 2: $Generator(\rho^L, \rho^U, signal)$: model of a generator from RTC to TA.



Observer. To compute the output curve $(\rho^L, \rho^U)$, we use a model checking tool with cost optimal reachability analysis [4]. An observer is used to capture the arrival patterns of an event stream: Figure 3(a) computes lower and upper bounds for a stream of $produce!$ events and for a window of $K$ events, namely $(\rho^L(K), \rho^U(K))$.

The observer non-deterministically transits from the initial state Idle to Counting: this decides the beginning of the window to be observed. The counter $\eta$ records the number of $produce!$ since the entry in Counting. When reaching the state Stop, $K$ $produce!$ events have been emitted.

The cost for an execution corresponds to the time spent in the Counting state (no cost on transitions, cost rate of 1 for Counting, marked as a grey state in the figure, cost rate of 0 for the other states). Therefore, the cost when reaching the state Stop is equal to the time for emitting $K$ events. With a verification engine able to compute the minimum and maximum cost for reaching Stop, this provides $\rho^L(K)$, since the $K$ consecutive events were chosen non-deterministically. The computation has to be launched $N$ times (for $K = 1$ to $N$) to obtain all the points of the curves.

Since the tool we use cannot compute a maximum, we use a variant model of the observer shown in Figure 3(b) for computing the maximum and obtaining $\rho^U(K)$. The principle of the timed automaton is the same as the former but it measures the number of events (counter $cost$) that can be emitted during an interval of length $\Delta$ (clock $t$). When minimizing the cost, this provides $\alpha^U(\Delta)$. Then, $\rho^U$ is computed as the pseudo-inverse of $\alpha^U$.



[Figure 3: (a) states Idle → Counting → Stop, with self-loop $produce?\ \eta{+}{+}$ on Counting; (b) the same states with self-loop $produce?\ cost{+}{=}1$ on Counting]

(a) $Observer(K, produce)$ (b) variant

Figure 3: (a) Model of the observer and (b) its variant model.



How to obtain output arrival curves? We show here how to instantiate the timed automata described above to compute an output arrival curve $\bar{\xi}$ given the input arrival curve $\xi$, the input service curve $\psi$ and a component modeled as a timed automaton. The input event stream is labeled by signals $req$ and is given by $Generator(\xi^L, \xi^U, req)$. The input service stream is labelled by signals $serv$ and is generated by $Generator(\psi^L, \psi^U, serv)$. We assume that the component inputs $req$ and $serv$ signals and emits $produce$ signals. The output event stream is then analyzed by $Observer(K, produce)$. Those four automata are synchronized and a verification engine is used, to obtain all the points $(\bar{\xi}^L(K), \bar{\xi}^U(K))$, for $K = 1$ to $N$. Note that the whole model involves two clock arrays of size $N$ (length of the curve); it also involves two $N$-counters per generator plus one $N$-counter for the observer. The size of the model, hence, heavily depends on the number of events to be considered.
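As an added illustration (not code from the paper or from CATS), the following Python replays the two adapters on a concrete trace: `conforms` re-implements the generator's Check_Lower / Check_Upper checks with the circular array $y$, the index $\lambda$ and the bounded counter $\theta$, and `observe` plays the observer's role for $K = 1..N$ by measuring the smallest and largest time spanned by $K$ consecutive events. The curve `RHO_L`/`RHO_U`, the traces and all function names are constructed for this example; as in the generator, the first event is unconstrained because $\theta = 0$.

```python
# Added example: replay the CATS-style generator checks and the observer on a concrete trace.
# Assumptions: curves are in the paper's time-per-k-events form (rho^L(k), rho^U(k)), k = 1..N,
# and a trace is a list of event times with trace[0] = 0 as the origin (not an event).

# Constructed sample curve with N = 3 points: one event after at least 2 / at most 4 time units,
# two consecutive events after at least 5 / at most 7, three after at least 8 / at most 10.
RHO_L = [2.0, 5.0, 8.0]
RHO_U = [4.0, 7.0, 10.0]

# Constructed traces: TRACE_OK respects the curve, TRACE_BAD violates rho^L(2) at its 4th event.
TRACE_OK = [0.0, 3.0, 6.0, 8.0, 11.0, 15.0, 17.0]
TRACE_BAD = [0.0, 3.0, 6.0, 8.0, 10.0]


def conforms(trace, rho_l, rho_u):
    """Replay Check_Lower / Check_Upper of Generator(rho_l, rho_u, signal) on a given trace.

    y is the circular array of the last N emission times (the N clocks of the TA, read as
    now - y[...]), theta the bounded counter of events to check (0..N) and lam the index of
    the next event. Returns (True, None) if every event could have been generated, otherwise
    (False, index of the first event at which a check fails).
    """
    n = len(rho_l)
    y = [0.0] * n
    theta, lam = 0, 0
    for idx in range(1, len(trace)):
        now = trace[idx]
        for i in range(1, theta + 1):
            slot = (lam - i + n) % n                # getIdx(i): slot of the i-th most recent event
            elapsed = now - y[slot]                 # value of that clock at emission time
            if elapsed < rho_l[i - 1]:              # Check_Lower would still block the signal
                return False, idx
            if elapsed > rho_u[i - 1]:              # Check_Upper invariant forced an earlier emission
                return False, idx
        y[lam] = now                                # y[lam] <- 0
        lam = (lam + 1) % n                         # lam <- (lam + 1) % N
        theta = min(theta + 1, n)                   # theta <- theta < N ? theta + 1 : N
    return True, None


def observe(trace, n):
    """Observer(K, produce) for K = 1..n over a fixed trace: the minimum and maximum time
    spanned by K consecutive events (every event is tried as window start, which is what the
    non-deterministic Idle -> Counting transition does). Returns (rho_l, rho_u)."""
    times = trace[1:]
    rho_l, rho_u = [], []
    for k in range(1, n + 1):
        spans = [times[i + k] - times[i] for i in range(len(times) - k)]
        if not spans:
            raise ValueError(f"trace too short to observe a window of {k} events")
        rho_l.append(min(spans))
        rho_u.append(max(spans))
    return rho_l, rho_u


if __name__ == "__main__":
    print(conforms(TRACE_OK, RHO_L, RHO_U))         # (True, None)
    print(conforms(TRACE_BAD, RHO_L, RHO_U))        # (False, 4)
    measured = observe(TRACE_OK, 3)                 # ([2.0, 5.0, 8.0], [4.0, 7.0, 9.0])
    print(measured, conforms(TRACE_OK, *measured))  # a trace satisfies its own measured curve
```

The measured curve of a single trace is only a sample of the stream's true curve (the verification engine explores all streams), which is why `observe` on `TRACE_OK` returns a tighter $\rho^U(3) = 9$ than the $10$ of the curve the trace was checked against.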

3 The Granularity-based Interfacing Framework 

Motivations. When model-checking non-trivial systems of TA, one quickly faces the well-known state-explosion problem. Generally speaking, this mainly comes from two sources: clocks and counters. Counters are handled as discrete states in the proof engine and clocks determine the dimensions of the polyhedra (zones) to be computed. As stated above, the CATS approach proposes to model-check (with cost optimization) a model where the number of clocks and the order of magnitude of counters are heavily linked with the number of events to be considered, and so is the cost to compute the results. Applied to non-trivial components, the approach may thus fail to provide any result.

By grouping the events, and refraining from looking at them individually, we can reduce the number of events to analyze and thus both the size of counters and the number of clocks: we can hence get dramatic improvements in performance. We talk about fine events to designate the real events of the system and we group them into coarse events which intuitively represent a packet of $g$ fine events, where $g$ is called the granularity of the abstraction. Modeling the system to work with coarse events instead of fine events divides the length of the arrival curve $\xi$ and the number of events $N$ to store in buffers by $g$. By changing the value of $g$, one can trade performance for accuracy.

Framework. We propose a formal framework of granularity-based interfacing between RTC and TA performance models. The generators for service and arrival curves, the component model and the observer for the output arrival curve all deal with coarse events, which speeds up the analysis.

As we change the granularity, all TA models involved in the framework have to be adapted to deal with the coarse events. For the generators and the observers, this is quite straightforward, but abstracting an arbitrary TA component to a coarse-granularity one would be hard, if at all possible. We focus on a particular class of timed automata that we call M-TA (for "Mode-based Timed Automata") for which we propose an automatic translation scheme from fine event M-TA to coarse event M-TA. For simplicity of the notations, we define the class of M-TA with an abstract syntax, the semantics of an M-TA being given by the corresponding TA. This is illustrated by (a) and (b) in Figure 4. The correctness of the approach relies on the fact that the coarse-grain translation of an M-TA is an accurate abstraction, in the sense that the lower and upper coarse output curves, analyzed from the coarse model, always provide lower and upper bounds on the lower and upper fine curves which would be obtained from the original fine model. This is proved once and for all for the translation scheme.

When analyzing a coarse model, we get a pair of coarse output arrival curves that already provides lower and upper bounds on the arrival patterns of the output stream at fine granularity, by applying a simple rescaling. But it is possible to derive tighter fine output curves by running the analysis at different granularity levels $g_1 \ldots g_m$. The resulting coarse output curves $\bar{\xi}_{g_1} \ldots \bar{\xi}_{g_m}$ are then combined (see Figure 4(c)) using the causality closure [2] property of RTC curves. This results in an output arrival curve ($\bar{\xi}$) at the fine granularity which is tighter than the naive combination of the curves but still equivalent to it.

To the best of our knowledge, no existing work deals with a granularity-based scheme with formal validation of the abstraction. The proposed framework complements the recent works on interfacing between RTC and TA models.
Figure 4: The framework of granularity-based interfacing.

4 Changing the Granularity 

Definitions and Notations. We denote a specific stream at the fine granularity as $t = (t_0)t_1t_2\ldots$ and a specific coarse stream as $T = (T_0)T_1T_2\ldots$. $t_i$ (resp. $T_i$) denotes the arrival time of the $i$-th fine (resp. coarse) event $e_i$ (resp. $E_i$) for $i \geq 1$. $t_0 = T_0 = 0$ denotes the origin of time. $T$ and $t$ denote the input, while $\bar{T}$ and $\bar{t}$ denote the output stream.

As illustrated in Figure 5, we can abstract a fine stream to a coarse one at some granularity $g$, by regarding $g$ consecutive fine events as a coarse one. A fine stream $t$ is a refinement of a coarse one $T$ if $T_i$ is equal to $t_{gi}$ for $i \geq 0$, i.e. if it is sampling the fine stream every $g$ events. A coarse stream $T$ at granularity $g$ is an abstraction of a fine stream if $t_{gi} = T_i$ for $i \geq 0$, the other $t_k$ being chosen arbitrarily, with $t_{k+1} \geq t_k$. It is easy to see that a coarse stream $T$ can be refined to a fine stream $t$ if and only if $t$ can be abstracted to $T$.



[Figure 5: time axis $t$ with the fine events $t_1, t_2, t_3, \ldots, t_{10}$ of the fine stream $(t_0)t_1t_2\ldots$ and the coarse events $T_1, T_2, T_3$ of the coarse stream $(T_0)T_1T_2\ldots$; each coarse event groups $g = 3$ consecutive fine events]

Figure 5: Illustration of a fine and coarse stream with g = 3.



How to obtain coarse output arrival curves? We now show how to use the interfacing between RTC and TA (Section 2) to compute output arrival curves at coarser granularity. The input arrival (resp. service) curve $\xi$ (resp. $\psi$) is given for fine events. To obtain the input arrival (resp. service) curve for coarse events at granularity $g$, $\xi_g$ (resp. $\psi_g$), we use a sampler. From $\xi$ it produces $\xi_g$ such that $\xi_g(k) = \xi(gk)$ for $k \geq 0$ (the definition of $\psi_g$ is exactly the same). Indeed, it is easy to see that the arrival (resp. service) patterns for the coarse input streams are lower and upper bounded by $\xi(gk)$ (resp. $\psi(gk)$) for all $k \geq 0$. Notice that this abstraction from fine input streams $t$ to coarse ones $T$ at granularity $g$ implies losing information about every fine event but the ones at index $gi$.

To compute a coarse output arrival curve $\bar{\xi}_g$, we then proceed as before: a generator is used for both the arrival curve $\xi_g$ and the service curve $\psi_g$; and observers are used to compute the result using model-checking with cost optimality. Nevertheless, between them, the component still has to be adapted. Indeed, it was designed to process fine events and needs to be abstracted to work on coarse input streams. In the sequel, we note $\mathcal{P}_O$ the fine component and $\mathcal{P}_C$ its coarse abstraction. This transformation from $\mathcal{P}_O$ to $\mathcal{P}_C$ may be hard, if possible at all, and we define a particular class of interest, called M-TA, for which we provide an automatic transformation scheme. This is the topic of the following section. Notice that such an abstraction introduces non-determinism in the coarse component. For example, when the triggering condition of a transition depends on a number of events, the coarse grain component cannot know exactly the time at which the transition is triggered.

Validation. To validate the proposed framework, one has to guarantee that the coarse models provide accurate abstractions of the fine models. The proof can be made on every part of the model but the component, since those TA are given. For the component, we exhibit a proof obligation that has to be guaranteed to validate the whole framework. This proof obligation states that the coarse component $\mathcal{P}_C$ should exhibit at least all the behaviors that the fine component $\mathcal{P}_O$ can produce. Formally, it should satisfy the following property.

Definition 1 Let $t = (t_0)t_1t_2\ldots$ ($\bar{t} = (\bar{t}_0)\bar{t}_1\bar{t}_2\ldots$) be any fine event stream that is an input to (the corresponding output stream produced from) $\mathcal{P}_O$. We say that $\mathcal{P}_C$ is a correct abstraction of $\mathcal{P}_O$ iff(def) there always exists some coarse event stream $T$ ($\bar{T}$) that can be an input to (the corresponding output stream produced from) $\mathcal{P}_C$, such that $T$ ($\bar{T}$) can be refined to $t$ ($\bar{t}$).

Proof Obligation 1 Prove that $\mathcal{P}_C$ is a correct abstraction of $\mathcal{P}_O$.

We will show later that the TA generated by our translation verify this proof obligation. Any other way to generate coarse TA that satisfy it could be used in the framework.

The correctness of the abstraction implies that we can derive a valid coarse output curve $\bar{\xi}_g$ by analyzing $\mathcal{P}_C$.

Lemma 1 If Proof Obligation 1 is satisfied, it is guaranteed that the analyzed $\bar{\xi}_g^L(k)$ and $\bar{\xi}_g^U(k)$ provide lower and upper bounds on $\bar{\xi}^L(gk)$ and $\bar{\xi}^U(gk)$ respectively for $k \geq 0$.

Sketch of proof: it follows from Proof Obligation 1 that, for any fine output stream $\bar{t}$ from $\mathcal{P}_O$, there always exists a coarse output stream $\bar{T}$ such that $\bar{T}$ can be refined to $\bar{t}$. It follows that the production time of the $(g \times k)$-th fine event in $\bar{t}$ is equal to that of the $k$-th coarse event in $\bar{T}$. It is then easy to show that $\bar{\xi}_g^L(k) \leq \bar{\xi}^L(gk)$ and $\bar{\xi}_g^U(k) \geq \bar{\xi}^U(gk)$.

How to combine multiple coarse curves to obtain a fine one? The above paragraphs show how to obtain a coarse pair of output curves at a given granularity and prove their accurateness. We now propose to conduct multiple runs of analysis at different granularities $g_1, \ldots, g_m$, and show how to combine them to obtain a valid fine pair of output curves. The coarse output arrival curve at granularity $g_i$ is noted $\bar{\xi}_{g_i}$ ($i = 1, \ldots, m$) and we denote by $\bar{\xi}^U$ and $\bar{\xi}^L$ the optimal fine output arrival curves. Due to Lemma 1 we have $\bar{\xi}_{g_i}^U(k) \geq \bar{\xi}^U(k g_i)$ and $\bar{\xi}_{g_i}^L(k) \leq \bar{\xi}^L(k g_i)$ for $k \geq 0$.

Therefore, a first approximation of $\bar{\xi}^U$ (resp. $\bar{\xi}^L$) is to take the minimal (resp. maximal) obtained values for the different granularities: $\bar{\xi}^U_{combined}(k) = \min_{i : g_i \mid k}\{\bar{\xi}_{g_i}^U(k / g_i)\}$. This curve is not necessarily the tightest we can find.

Suppose, for example, that we obtain output curves $\bar{\xi}_2$ and $\bar{\xi}_3$ after analyzing $\mathcal{P}_C$ with $g = 2, 3$. We can get on $\bar{\xi}(1)$ some tighter bounds than the minimum of $\bar{\xi}_2(1)$, $\bar{\xi}_3(1)$ as follows. Let $\bar{t} = \bar{t}_0\bar{t}_1\bar{t}_2\ldots$ denote the trace of the fine output stream ($\bar{t}_i$ denotes the production time of the $i$-th fine event $\bar{e}_i$), with $\bar{t}_0 = 0$. Recalling that $\bar{\xi}^L(k)$ and $\bar{\xi}^U(k)$ are defined to be lower and upper bounds on the length of the time interval during which any $k$ consecutive events are output, for any $i \geq 0$, we have $\bar{\xi}^L(2) \leq \bar{t}_{i+3} - \bar{t}_{i+1} \leq \bar{\xi}^U(2)$ and $\bar{\xi}^L(3) \leq \bar{t}_{i+3} - \bar{t}_i \leq \bar{\xi}^U(3)$. We can thus derive constraints on time intervals of length 1:

$$\bar{\xi}^L(3) - \bar{\xi}^U(2) \leq \bar{t}_{i+1} - \bar{t}_i \leq \bar{\xi}^U(3) - \bar{\xi}^L(2)$$

Hence, a better valid bound for the time interval between any two events is given by

$$\left[\max\{\bar{\xi}^L(1),\ \bar{\xi}^L(3) - \bar{\xi}^U(2)\},\ \min\{\bar{\xi}^U(1),\ \bar{\xi}^U(3) - \bar{\xi}^L(2)\}\right]$$

Other linear constraints can be used to derive constraints of this flavor. But we actually use the causality closure algorithm given in [13], which refines an arbitrary pair of curves to the optimal equivalent pair of curves (provided a slight adaptation of the algorithm for finite curves to work with pseudo-inverses of the curves). This algorithm is based on the notion of deconvolution, which is basically a generalization of the above example by taking all the possible values instead of just 2 and 3 as in the example.
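The following Python is an added example and not the authors' implementation of the algorithm of [13]: it rescales each coarse result onto the fine indices $gk$ as Lemma 1 allows, takes the naive pointwise combination, and then iterates the two families of deconvolution constraints of which the $g = 2, 3$ case above is one instance until a fixpoint is reached. The coarse curves `COARSE` are constructed values (not the paper's experimental results), the function names are mine, and the constraint set is my reading of "deconvolution" for curves in time-per-events form; the causality closure of [13] itself is not reproduced here.

```python
# Added example: combine coarse output curves (xi_g^L(k), xi_g^U(k)) from several granularities
# into a fine curve and tighten it by a deconvolution fixpoint. Curves are indexed by number of
# events k; index 0 is the origin (zero events take zero time). Constructed sample data below.
import math

INF = math.inf

# Constructed coarse analysis results: for g = 2 the observer returned points k = 1..3,
# for g = 3 points k = 1..2 (so both give a bound for the fine index 6).
COARSE = {
    2: [(3.5, 4.5), (7.5, 8.5), (11.5, 12.5)],
    3: [(5.5, 6.5), (11.5, 12.5)],
}


def rescale(coarse, g, n_fine):
    """Lemma 1: the coarse point k bounds the fine point gk. Fine indices that are not a
    multiple of g keep the trivial bounds (0, +inf)."""
    low = [0.0] * (n_fine + 1)
    up = [INF] * (n_fine + 1)
    up[0] = 0.0
    for k, (l, u) in enumerate(coarse, start=1):
        if g * k <= n_fine:
            low[g * k], up[g * k] = l, u
    return low, up


def combine(coarse_curves, n_fine):
    """Naive combination: pointwise max of lower bounds and min of upper bounds."""
    low = [0.0] * (n_fine + 1)
    up = [INF] * (n_fine + 1)
    up[0] = 0.0
    for g, curve in coarse_curves.items():
        l_g, u_g = rescale(curve, g, n_fine)
        low = [max(a, b) for a, b in zip(low, l_g)]
        up = [min(a, b) for a, b in zip(up, u_g)]
    return low, up


def closure(low, up, max_rounds=1000):
    """Tighten (low, up) to a fixpoint of the deconvolution constraints (a + b = k, b >= 1):
         low[k] >= low[a] + low[b]      low[k] >= low[k + b] - up[b]
         up[k]  <= up[a]  + up[b]       up[k]  <= up[k + b]  - low[b]
    The g = 2, 3 example in the text is the instance k = 1, b = 2. Returns (low, up, consistent);
    consistent is False when the coarse analyses contradict each other (some low[k] > up[k])."""
    low, up = list(low), list(up)
    n = len(low) - 1
    for _ in range(max_rounds):
        changed = False
        for k in range(1, n + 1):
            cand_l = [low[a] + low[k - a] for a in range(1, k)]
            cand_l += [low[k + b] - up[b] for b in range(1, n - k + 1)]
            cand_u = [up[a] + up[k - a] for a in range(1, k)]
            cand_u += [up[k + b] - low[b] for b in range(1, n - k + 1)]
            new_l, new_u = max([low[k]] + cand_l), min([up[k]] + cand_u)
            if new_l > low[k] or new_u < up[k]:
                low[k], up[k], changed = new_l, new_u, True
            if low[k] > up[k]:
                return low, up, False
        if not changed:
            break
    return low, up, True


def fine_curve(coarse=COARSE, n_fine=6):
    """Naive combination followed by the closure; returns (low, up, consistent)."""
    low, up = combine(coarse, n_fine)
    return closure(low, up)


if __name__ == "__main__":
    naive = combine(COARSE, 6)
    print(naive[0][1], naive[1][1])          # 0.0 inf : nothing known about single events
    low, up, ok = fine_curve()
    print(ok, (low[1], up[1]), (low[5], up[5]))  # True (1.0, 3.0) (9.0, 11.0)
```

With these inputs the naive combination says nothing about $k = 1$ and $k = 5$ (no granularity divides them), whereas the closure derives $\bar{\xi}(1) \in [1, 3]$ from $\bar{\xi}_3(1) - \bar{\xi}_2(1)$ exactly as in the text, and $\bar{\xi}(5) \in [9, 11]$ from the additive constraints. A `consistent` value of `False` means two coarse analyses gave contradictory bounds, which should be treated as an error in the models rather than as a curve.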

5 Application to Power Managed Components 

The systems we target to define an automatic translation from fine to coarse models are energy-aware, 
or "power-managed". They have different modes of operations, in which their performance and energy 
consumption are defined. Most computers and embedded systems today possess energy-saving modes; 
for example, CPUs can have dynamic voltage and frequency scaling (DVFS) and sensors in a network 
can switch their radio on and off. 

5.1 Models of PMC 

We consider power-managed components (PMC) as systems with different modes of operation, each mode owning a pair of service curves. The system can transit from a mode to another upon various conditions. The minimal requirements to model non-trivial systems are:

(1) by receiving an explicit synchronization from another component,

(2) after a given timeout (typically, systems go to a hibernation state only after spending some time in an idle state),

(3) when the buffer fill level exceeds a certain threshold (to switch to a resource-intensive mode when the system is overloaded),

(4) when the buffer fill level gets below a threshold (typically, to go to an energy-saving state when the buffer is empty).

Also, we need a way to force the system to stay in a given mode for a minimum amount of time (for 
example, to model a transition between two modes that physically takes some time). This is modeled by 
modifying the last two conditions to enable them only when the time spent in the current mode is greater 
than some constant. 

Graphical Syntax to Describe PMC. From these requirements, we define the class of automata M-TA, and give a graphical syntax for it. The description is based on an enumeration of modes, each mode $M_i$ being associated with a pair of service curves $\psi_i = (\psi_i^L, \psi_i^U)$; it is restricted to how the PMC can evolve from mode to mode. To handle the events to be computed, we suppose that the PMC is equipped with a buffer at its entry. We note $q$ the counter for the buffer fill level: in each mode $M_i$ it is constrained to be within some lower and upper bounds $b_i^L$ and $b_i^U$. A mode $M_i$ is also equipped with time constants $L_i$, $U_i$ which represent the lower and upper time the component can stay in the mode; we use the clock $x$ to measure this time: it is reset when entering a mode and checked against the bounds when going out. Figure 6 shows a descriptive model of the PMC with all the possible mode changes ((1)..(4), using the same numbering as above). We believe that our work can be easily extended to other cases of mode switch.
[Figure 6: from mode $M_i$: transition (3) with guard $L_i \leq x \leq U_i \wedge q < b_i^L$ to $M_k$; transition (4) with guard $L_i \leq x \leq U_i \wedge q > b_i^U$ to $M_j$; transition (2) on timeout to $M_p$; transition (1) on synchronization to $M_l$]

Figure 6: M-TA: 4 kinds of transitions between modes



Semantics of M-TA. Given a PMC described by an M-TA, we give its semantics in terms of the TA it represents. Using the same convention as before, a PMC receives events through the signal $req?$ from the generator and emits $produce!$ at its output. Internally, we translate the M-TA using two synchronized TA: the first, called Processing Element (PE), controls the mode switches and the second, called Service Model (SM), models the computation resources for each mode. The PE and the SM are strongly synchronized: the PE emits signals $Syn_{ij}!$ whenever transiting from mode $M_i$ to mode $M_j$ and the SM changes its behavior accordingly. The SM has the same discrete structure as the abstract syntax. It uses one instance of the generator described in Section 2 per mode $M_i$ (i.e. per state), $Generator(\psi_i^L, \psi_i^U, serv)$, which emits $serv!$ whenever the PMC is able to process an event. This $serv!$ signal is then transmitted to the PE, which decrements its backlog $q$ and emits a $produce!$ (received by the observer).

Similarly, each time the PE receives an event to be processed via the signal $req?$ (received from the generator that models the input arrival curves), this increments the backlog $q$. Before further detailing the implementation of the PE in terms of timed automata, we define a shortcut syntax for a state in Figure 7. The interval $[b^L, b^U]$ specified on the state $S$ means that the system can stay in $S$ as long as the buffer fill level $q$ is within this range. The clock invariant $x \leq U$ has the usual meaning. This shortcut enables the model to be complete with respect to the incoming events $req?$ and $serv?$.

REQ means: { req? q++; }

SERV means: if (q>0) { serv? q--; produce! } else { serv? }

Figure 7: Simplified notation of a state of the PE

Figure 8 shows, for the PE, the translation of the 4 kinds of transitions of the M-TA in Figure 6 into plain TA; notice that it only expands the single mode $M_i$. This mode is implemented with two states $S_i$ (initial state) and $S_{ii}$. $S_i$ is added to ensure that the PE doesn't leave the mode before reaching its lower timing constraint $L_i$. When $x = L_i$, it is time to leave $S_i$: either the exit condition on $q$ ($q > b_i^U$ or $q < b_i^L$) is already satisfied and the TA immediately switches to the corresponding mode ($M_j$ or $M_k$), or it transits to the state $S_{ii}$. It can stay in $S_{ii}$ while $q \in [b_i^L, b_i^U]$ and $x \leq U_i$. Whenever $q$ exceeds $b_i^U$ or falls below $b_i^L$, it switches to a new mode ($M_j$ or $M_k$). When the timeout $U_i$ is reached, the transition to $M_p$ is forced by the invariant. In both $S_i$ and $S_{ii}$, whenever the automaton receives a synchronization signal $a?$, it must immediately transit to $M_l$.

5.2 PMC Models at Coarser Granularity 

We now give the translation scheme from M-TA to TA at granularity $g$ for $g > 1$. This translation gives an abstraction of the original M-TA, which consumes and produces coarse events. As in the previous section, we translate one PMC into two TA: the processing element (PE) and the service model (SM).



[Figure 8: fine TA model of the PE for mode $M_i$, with states $S_i$ and $S_{ii}$ annotated with the buffer interval $[b^L, b^U]$]

Figure 8: Fine TA model of the PE



Coarse Service Model (SM). Changing the granularity for the SM is done by sampling the service curves as we did in Section 4. It thus still uses one $Generator(\psi_g^L, \psi_g^U, serv)$ of Figure 2 per mode $M_i$, but each mode is refined into two states. When a mode switch occurs, we do not know how many fine events have been emitted since the last coarse $serv!$ in the previous mode (but it has to be within $[0, g)$). Arriving in the new mode $M_i$, the SM has to wait for $k$ more fine events before emitting the next coarse $serv!$, $k$ being in $(0, g]$. As shown in Figure 10 we add a state $S_{trans}$ to capture this fact. The time the SM stays in this state is non-deterministically chosen within $[\psi_i^L(1), \psi_i^U(g)]$; it is measured by the clock $x$.



Coarse Processing Element (PE). The coarse translation of the PE is given in Figure 9 using the notations introduced in Figure 7. The overall idea is the same as for the fine model (Figure 8), but the buffer fill level, here noted $Q$, now counts coarse events instead of fine events. The state $S_{ii}$ has been split into three states $S_{ii}$, $S_{inc}$ and $S_{dec}$ whose meanings are given in the figure. This splitting is necessary because when the condition between two modes depends on a threshold $b_i^U$ or $b_i^L$ on the backlog $q$ at fine granularity, if this threshold is not a multiple of $g$, then the actual transition of the fine PMC would occur between two coarse events. We note $Y^L$ and $Y^U$ (resp. $H^L$ and $H^U$) the smallest and greatest numbers of coarse events between which the fine threshold $b_i^U$ (resp. $b_i^L$) can be reached. The explanation and the values of those constants are given in Figure 5.2. We can therefore not determine precisely when a transition due to a threshold does occur in the fine PE, but we have to ensure in the coarse PE, due to Proof Obligation 1, that it can occur at the same time as it would have in the fine PE. The coarse PE leaves the state $S_{ii}$ when one of the transitions to $M_j$ or $M_k$ can occur, and the invariants on states $S_{inc}$ and $S_{dec}$ say when the transition must occur. The management of synchronization events ($a?$) and timeout ($x = U_i$) is the same as in the fine model. For clarity, it is not drawn on the TA but described above.



Validation. Due to the proof obligation 1, we now have to prove that the proposed simple coarse PMC 
provides a correct abstraction of the fine PMC. 

Proof: let t = t_0 t_1 t_2 ... be any fine input stream to the fine PMC P and t' = t'_0 t'_1 ... the correspond- 
ing output stream. Firstly, we construct a coarse input stream T = T_0 T_1 T_2 ... with T_j = t_{gj} for j ≥ 0. It 
is clear that T can be refined to t, while T can be an input to the coarse PMC P_c due to: 

$$\forall j \ge k \ge 0,\quad \alpha^L_g(j-k) = \alpha^L(g(j-k)) \le t_{gj} - t_{gk} \le \alpha^U(g(j-k)) = \alpha^U_g(j-k)$$

Then we show how to construct a coarse output stream T' from P_c corresponding to the input stream 
T and which is an abstraction of t': given the behavior of P, we build, by induction, the behavior of P_c where 
[Figure 9 (not reproduced). Threshold transitions visible in the figure: from S_inc, x = L_i ∧ Q > Y^U, Syn_ij!, with Q in [Y^L, Y^U]; 
from S_dec, x = L_i ∧ Q < H^L, Syn_ik!, with Q in [H^L, H^U].] 

Coarse thresholds: Y^L = ⌊(b^U + 1)/g⌋, Y^U = ⌈(b^U + 1)/g⌉, H^L = ⌊(b^L − 1)/g⌋, H^U = ⌈(b^L − 1)/g⌉. 

Explanation of those values: let N_r (resp. N_s) denote the total number of coarse events req? (resp. 
serv?) received since the system started. Let n_r (resp. n_s) denote the corresponding total number of fine 
events. Q (resp. q) denotes the coarse (resp. fine) buffer fill level. At any time, we have the following 
constraints: g N_r ≤ n_r < g(N_r + 1) and g N_s ≤ n_s < g(N_s + 1). 

Since the fine and coarse buffer fill levels q and Q satisfy q = n_r − n_s and Q = N_r − N_s respectively, we 
deduce that g(Q − 1) < q < g(Q + 1). This implies that ⌊q/g⌋ ≤ Q ≤ ⌈q/g⌉. When q is replaced with 
b^U + 1 in the former inequation, it provides lower and upper bounds [Y^L, Y^U] on the value of Q. We can 
similarly derive the bounds [H^L, H^U]. 

Meaning of the states: S_I: same as S_I in the fine PE. S_II: the coarse backlog corresponds to a fine buffer 
fill level between b^L and b^U. S_inc / S_dec: in the fine PE, the buffer fill level may have reached b^U / b^L. 

Other transitions: 4 transitions labelled (a?, Syn_il!) from S_I, S_inc, S_II, S_dec to the mode M_l and 3 transitions 
labelled (x = U_i, Syn_ip!) from S_inc, S_II, S_dec to the mode M_p. 

Figure 9: Simple coarse PE model 

Figure 10: Simple coarse service model 
mode switches occur at the same time in the fine and the coarse PMCs. 

Firstly, when the system starts, both PMCs can enter the starting mode at the same time. Suppose 
now that the coarse output stream T' has been constructed until the (A − 1)-th event, for some A > 0, to 
be T'_0 T'_1 ... T'_{A−1} with T'_j = t'_{gj} for all j ∈ [0, A − 1]; and that both P and P_c entered the mode M_i at the 
same instant. 

Let the fine PMC leave M_i when the (gB + n)-th fine event produce! is processed, with n < g. 
Two cases can then happen: 

Case 1: B = A − 1. From the service model shown in Figure 10, the time to generate the next coarse 
event serv? is lower and upper bounded by ψ^L_i(1) and ψ^U_i(g) respectively. It covers all the possibilities 
of what can happen in the fine service model. Hence, it is possible that the coarse PMC leaves M_i at the 
same time as the fine one. 

Case 2: B > A − 1. In mode M_i, we continue to construct T' to be ... T'_{A−1} T'_A ... T'_B, with T'_j = t'_{gj} for 
j ∈ [A, B]. Similarly to Case 1 above, we can show that T'_A can be an output from P_c. We can 
also show that T'_{A+1} ... T'_B can be an output from P_c due to ψ^L_i(g(j − A)) ≤ t'_{gj} − t'_{gA} ≤ ψ^U_i(g(j − A)) 
and ψ^L_{g,i}(j − A) = ψ^L_i(g(j − A)), ψ^U_i(g(j − A)) = ψ^U_{g,i}(j − A). The coarse PMC is able to leave M_i at the 
same time as the fine PMC. Indeed, as shown in Figure 9, P_c may transit out from S_inc (or S_dec) anytime 
before Q increases to Y^U + 1 (or falls below H^L − 1). Hence, it is possible that P_c transits out at the 
same time as P for the case of those transitions. In the other cases of transiting out, the time to transit out 
is the same for P and P_c, which is equal to L_i or U_i, or to the time of receiving the synchronization signal a?. 

It is clear that the constructed coarse output stream T' is an abstraction of the fine one t'. Therefore, 
the proof obligation 1 is validated. 
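The first step of the proof (sampling the fine stream as T_j = t_{gj} and checking it against the g-sampled input curves) can be exercised on constructed data. The block below is an added example, not code from the paper or its prototype; the curves, stream and the time unit (tenths) are constructed, and the curve representation (a list indexed by the number of event intervals) is an assumption of the example.

```python
# Added example (not from the paper): checking the g-sampling step used in the
# proof above. A stream is a list of non-decreasing event times; an arrival
# curve pair (lower, upper) is indexed by the number n of event intervals and
# bounds the time distance between any two events n apart. Sampling a curve
# at granularity g keeps the points whose abscissa is a multiple of g, and
# sampling a stream keeps every g-th event (T_j = t_{gj}). All values below
# are constructed for illustration and expressed in tenths of a time unit.

def sample_curve(curve, g):
    """curve_g(k) = curve(g*k): keep the points with an abscissa multiple of g."""
    return curve[::g]


def coarse_stream(stream, g):
    """T_j = t_{gj}: keep every g-th event of the fine stream."""
    return stream[::g]


def conforms(stream, lower, upper):
    """True iff lower[j-k] <= t_j - t_k <= upper[j-k] for every pair k < j
    within the horizon of the curves (pairs beyond it are unconstrained)."""
    horizon = min(len(lower), len(upper))
    for k in range(len(stream)):
        for j in range(k + 1, min(len(stream), k + horizon)):
            d = stream[j] - stream[k]
            if not (lower[j - k] <= d <= upper[j - k]):
                return False
    return True


# Constructed input arrival curves alpha^L / alpha^U (n = 0..11): a period of
# 2.0 time units with a jitter of 1.0, so n intervals span [2n - 1, 2n + 1].
ALPHA_L = [0] + [20 * n - 10 for n in range(1, 12)]
ALPHA_U = [0] + [20 * n + 10 for n in range(1, 12)]

# Constructed fine stream conforming to (ALPHA_L, ALPHA_U).
FINE_STREAM = [0, 24, 36, 62, 80, 98, 123, 140, 159, 181, 200, 217]

# Same stream with the last event arriving too late (gap of 3.5 > 3.0).
LATE_STREAM = FINE_STREAM[:-1] + [235]


def coarse_conforms(stream, lower, upper, g):
    """The inequality of the proof: the g-sampled stream conforms to the
    g-sampled curves."""
    return conforms(coarse_stream(stream, g),
                    sample_curve(lower, g), sample_curve(upper, g))


if __name__ == "__main__":
    for g in (1, 2, 3):
        print(g, coarse_conforms(FINE_STREAM, ALPHA_L, ALPHA_U, g),
              coarse_conforms(LATE_STREAM, ALPHA_L, ALPHA_U, g))
```

The late stream shows the direction of the abstraction: a fine stream that violates (α^L, α^U) can still have a g-sampling that conforms to the sampled curves when the violating event is not a sampled one, which is why coarse conformance is only a sound over-approximation of the fine behaviour, never a proof of it.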

Optimization of the coarse PMC model. This unoptimized model introduces non-determinism when 
mode changes occur. For example, if one knows that a mode change occurs when q = 12, with a granu- 
larity of g = 5, one cannot capture in the coarse model the exact instant where q becomes equal to 12, 
but only the arrival of the second and third coarse events (T_2 and T_3), which correspond to q = 10 and 
q = 15. By reusing the information we have on the service and arrival curves at the fine granularity, we 
can get a better estimation than [Y^L, Y^U] for the time at which the mode change occurs. In the example, 
one can get a lower bound τ for the time needed to get 2 more events in the buffer: α^U says how fast 
the events can arrive, and ψ^L says how fast the PMC processes them. We can compute the minimal time 
for which the difference between the number of events received and the number of events processed is 2. 
Similarly, we can get an interval [i_s, i_e] on the time between the mode change and the next coarse serv? 
event. In the TA model, this is implemented by forcing the automaton to remain in the old mode for τ 
time units after receiving the second event, and to enable the transition for the first serv? only when the 
time spent in the mode is in [i_s, i_e]. 

We implemented two variants of this optimization in our prototype. The first introduces a counter ω, 
and the corresponding coarse PMC is called P_c-ω; the second does all the complex computations 
on best and worst cases using this counter, and the corresponding coarse PMC is called P_c-opt. These 
optimizations considerably increase the precision of the analysis. They are detailed in [12], but omitted 
here for lack of space. 
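The coarse thresholds of Figure 9 and the fill-level inequality they rest on, together with the q = 12, g = 5 example above, are small enough to check mechanically. The following block is an added example, not code from the paper or its prototype. It assumes the guard convention that the upward mode change fires when q reaches b^U + 1 (so b^U = 11 gives the switch at q = 12 of the example) and that b^L ≥ 1.

```python
# Added example (not from the paper): computing the coarse thresholds of
# Figure 9 and checking the fill-level inequality they rely on by exhaustive
# enumeration. Counters follow the paper's notation: n_r / n_s are the fine
# req? / serv? counts, N_r / N_s the coarse ones (g*N <= n < g*(N+1)),
# q = n_r - n_s and Q = N_r - N_s.

def ceil_div(a, b):
    """Integer ceiling of a/b for b > 0 (avoids float rounding)."""
    return -(-a // b)


def coarse_thresholds(b_low, b_up, g):
    """[Y^L, Y^U] bounds Q when q reaches b^U + 1 (transition on the way up),
    [H^L, H^U] bounds Q when q reaches b^L - 1 (transition on the way down).
    Assumes 1 <= b_low <= b_up, so that b_low - 1 >= 0."""
    y_l, y_u = (b_up + 1) // g, ceil_div(b_up + 1, g)
    h_l, h_u = (b_low - 1) // g, ceil_div(b_low - 1, g)
    return y_l, y_u, h_l, h_u


def coarse_backlog(n_r, n_s, g):
    """Q = N_r - N_s with N_x = floor(n_x / g), i.e. g*N_x <= n_x < g*(N_x + 1)."""
    return n_r // g - n_s // g


def check_backlog_bounds(g, max_events=60):
    """Exhaustively check, for all fine counters with 0 <= n_s <= n_r <= max_events,
    that g(Q - 1) < q < g(Q + 1) and floor(q/g) <= Q <= ceil(q/g) hold.
    Returns True when no counter-example is found."""
    for n_r in range(max_events + 1):
        for n_s in range(n_r + 1):
            q = n_r - n_s
            Q = coarse_backlog(n_r, n_s, g)
            if not (g * (Q - 1) < q < g * (Q + 1)):
                return False
            if not (q // g <= Q <= ceil_div(q, g)):
                return False
    return True


if __name__ == "__main__":
    # b^U = 11 (assumption: switch at q = b^U + 1 = 12), g = 5 -> Y^L = 2, Y^U = 3:
    # the fine switch happens between the second and the third coarse event.
    print(coarse_thresholds(4, 11, 5))
    print(all(check_backlog_bounds(g) for g in (1, 2, 3, 4, 5)))
```

The enumeration is the practitioner's sanity check on the derivation: both inequalities are strict on the outside and non-strict on the inside, and the check fails immediately if either is typed the other way round.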

6 Experimental Validation 

Tools. To conduct experiments on our framework, we applied the TA modeling and verification 
tool UPPAAL CORA [4] to model TA and to analyze the output arrival curves by model checking. The 
generators and observers are written once for all, but for the PMC, the M-TA translation into TA still has 
to be written by hand. Running the analysis at multiple granularities and the algorithm to combine the 
obtained curves into the tightest one are fully automated. 

Figure 11: M-TA model of the example PMC (figure not reproduced; guards visible in it: q > q_0 − 1 and q < 1) 

Figure 12: An illustrated flow of the example PMC 



An Example of PMC. We illustrate the approach with the fine and coarse models of a simple PMC 
illustrating a common behavior. It runs in two modes: "sleep" and "run". It only processes events and 
consumes energy in the "run" mode and switches to the power-saving "sleep" mode when its buffer is 
empty. To avoid switching back and forth between "run" and "sleep", the PMC waits until its buffer fill 
level q reaches a threshold q_0 before transiting from "sleep" to "run". Initially the input buffer is empty 
(i.e. q = 0). Figure 11 shows the model of this example PE in terms of M-TA. 



Result of the Analysis for the Example. We show the experiments conducted on the previous example 
where the threshold q_0 is set to 5 (i.e. the PMC starts to run when the number of fine events in the buffer 
reaches 5). We first apply the translation from the M-TA to TA presented above to get the coarse and fine- 
grain models. Notice that, since the M-TA doesn't exhibit all the cases of mode changes, the translation 
can indeed be optimized manually (see H3). In Figure 12, we take an example input stream and show 
its execution in the fine and coarse PMC models at granularity 3. It can be observed that the coarse PE 
always switches from M_0 to M_1 when it stays in S_inc and switches from M_1 to M_0 when it stays in S_dec. 
This illustrates how the non-determinism is introduced in the coarse model. 

We now comment on the results of the coarse output arrival curves when running the analysis at multiple 
granularities g = 2, 3, 4. First, the input arrival curves α and service curves ψ are sampled by taking the 
points of the curves having an abscissa multiple of g (an illustration is given in Appendix A.1). Then, 
using the UPPAAL CORA tool, we analyze the minimum cost to reach the Stop state of the observer 
model, which gives the lower output curve ξ^L_g(k), and use the variant of the observer shown in Figure 3(b) 
to compute the upper count curve, which gives ξ^U_g(k) after pseudo-inversion. 

Table 1: Time to compute fine and coarse output arrival curves (ξ^L_g, ξ^U_g), and the distance between coarse 
and fine curves, with distance = mean(mean(ξ^L(gk) − ξ^L_g(k)), mean(ξ^U_g(k) − ξ^U(gk))), where mean is 
the average of all the elements for 1 ≤ k ≤ ⌊24/g⌋. 

output arrival curves | analysis time at granularity g [sec] 
                      | g = 1    | g = 2                   | g = 3                   | g = 4 
                      | P        | P_c    P_c-ω   P_c-opt  | P_c    P_c-ω   P_c-opt  | P_c    P_c-ω   P_c-opt 
ξ^L_g                 | 23674.4  | 56.1   62.9    223.6    | 7.90   12.9    189.7    | 0.76   1.21    28.6 
ξ^U_g                 | 411515.3 | 746.2  583.2   4217.7   | 68.6   120.9   1465.4   | 7.43   12.5    269.1 
distance              | /        | 4.17   2.46    0.63     | 5.50   2.88    0.63     | 9.08   5.08    1.25 

For granularity g = 4, we compare the output curves (ξ^L_g, ξ^U_g) using the unoptimized PMC P_c, (ξ^L_g-ω, 
ξ^U_g-ω) using the model with ω, P_c-ω, and (ξ^L_g-opt, ξ^U_g-opt) using the optimized PMC P_c-opt, as 
shown in Appendix A.2. It can be observed that P_c-ω helps to obtain tighter coarse output curves than 
P_c, which are further improved by P_c-opt. 

When analyzing the coarse output curves (ξ^L_g, ξ^U_g) at each granularity g = 2, 3, 4, obtained from the optimized 
coarse PMC P_c-opt, it can be observed that ξ^L_g(k) provides a lower bound on ξ^L(gk) and 
ξ^U_g(k) provides an upper bound on ξ^U(gk), where (ξ^L, ξ^U) are the fine output curves computed from the 
fine PMC P (see Appendix A.3). 

Table 1 summarizes the analysis at multiple granularities by showing the total time to compute the 
fine and coarse output curves (ξ^L_g(k), ξ^U_g(k)) for g = 1, 2, 3, 4 and k ≤ ⌊24/g⌋. It also shows the distance 
measured between coarse and fine curves. As expected, the three models P_c, P_c-ω and P_c-opt allow 
a trade-off between performance and accuracy, P_c being the fastest and least precise, and P_c-opt the 
slowest and most precise. The granularity g allows another trade-off: the coarsest models are the least 
precise ones and the fastest to analyze. 

Finally, we observe experimentally that applying the causality closure [2] (a quadratic algorithm) to the resulting 
curves gives information that neither of the analyses would have given alone. For example, running the 
analysis with q_0 = 21 at granularities g = 9 and g = 10, we get ξ^U_9(2) = 111 and ξ^U_10(2) = 108, which 
trivially implies ξ^U(10) ≤ 108. Combining the curves and using the information provided by the causality closure [2], we 
get the value ξ^U(10) = 102. The complete curve is in Appendix A.3. 
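The "trivial" part of that combination, i.e. the simple scheme of Figure 17 that uses only monotonicity (ξ^U_g(j) ≥ ξ^U(gj) ≥ ξ^U(k) whenever gj ≥ k, and symmetrically for lower curves), together with the distance metric of Table 1, can be written in a few lines. The block below is an added example, not code from the paper or its prototype; it does not implement the causality closure of [2], and all curve values are constructed (a hypothetical fine curve and coarse curves at g = 2 and g = 3 carrying some slack), so the numbers are illustrative only. The paper's ξ^U_10(2) = 108 ⇒ ξ^U(10) ≤ 108 is exactly what `combine_upper` does: the minimum over every coarse point covering k.

```python
# Added example (not from the paper): combining coarse output curves obtained
# at several granularities into bounds on the fine output curves, with the
# "simple scheme" (monotonicity only), plus the distance metric of Table 1.
# The paper's refinement algorithm [2] (causality closure) is not implemented.
# Curves map a number of events k >= 1 to a time; xi^U_g(k) >= xi^U(gk) and
# xi^L_g(k) <= xi^L(gk) (the validated abstraction), and both kinds of curve
# are non-decreasing in k. All numbers are constructed for illustration.

from statistics import mean


def combine_upper(coarse_upper, horizon):
    """xi^U(k) <= xi^U(gj) <= xi^U_g(j) whenever gj >= k, so take the min over
    every coarse point that covers k. None where no point covers k."""
    bounds = {}
    for k in range(1, horizon + 1):
        cands = [v for g, curve in coarse_upper.items()
                 for j, v in curve.items() if g * j >= k]
        bounds[k] = min(cands) if cands else None
    return bounds


def combine_lower(coarse_lower, horizon):
    """xi^L(k) >= xi^L(gj) >= xi^L_g(j) whenever gj <= k, so take the max over
    every coarse point below k (0 is the trivial lower bound)."""
    bounds = {}
    for k in range(1, horizon + 1):
        cands = [v for g, curve in coarse_lower.items()
                 for j, v in curve.items() if g * j <= k]
        bounds[k] = max(cands) if cands else 0
    return bounds


def distance(fine_lower, fine_upper, coarse_lower, coarse_upper, g, horizon):
    """Distance of Table 1: the mean of the average lower-curve gap and the
    average upper-curve gap, for 1 <= k <= floor(horizon / g)."""
    ks = range(1, horizon // g + 1)
    gap_l = mean(fine_lower[g * k] - coarse_lower[k] for k in ks)
    gap_u = mean(coarse_upper[k] - fine_upper[g * k] for k in ks)
    return (gap_l + gap_u) / 2


# Constructed "true" fine output curves over 12 events, and coarse curves at
# g = 2 (slack 1) and g = 3 (slack 2) as a coarse analysis might produce them.
FINE_LOWER = {n: 3 * n - 2 for n in range(1, 13)}
FINE_UPPER = {n: 3 * n + 2 for n in range(1, 13)}
COARSE_LOWER = {2: {k: FINE_LOWER[2 * k] - 1 for k in range(1, 7)},
                3: {k: FINE_LOWER[3 * k] - 2 for k in range(1, 5)}}
COARSE_UPPER = {2: {k: FINE_UPPER[2 * k] + 1 for k in range(1, 7)},
                3: {k: FINE_UPPER[3 * k] + 2 for k in range(1, 5)}}


def bounds_are_sound(horizon=12):
    """The combined curves must bracket the fine curves at every k."""
    up = combine_upper(COARSE_UPPER, horizon)
    low = combine_lower(COARSE_LOWER, horizon)
    return all(low[k] <= FINE_LOWER[k] and up[k] >= FINE_UPPER[k]
               for k in range(1, horizon + 1))


if __name__ == "__main__":
    print(combine_upper(COARSE_UPPER, 12))
    print(combine_lower(COARSE_LOWER, 12))
    for g in (2, 3):
        print(g, distance(FINE_LOWER, FINE_UPPER,
                          COARSE_LOWER[g], COARSE_UPPER[g], g, 12))
```

On this constructed data the combination is strictly tighter than either granularity alone (for instance at k = 3 the g = 2 analysis only gives ξ^U(3) ≤ ξ^U_2(2) = 15 while the g = 3 point gives 13, and at k = 4 the situation is reversed), which is the effect the text reports; the closure of [2] then improves on this further by exploiting the relation between lower and upper curves.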



7 Conclusion 

In this paper, we have proposed a novel framework of granularity-based interfacing between RTC and 
TA performance models, which complements the existing work and reduces the complexity of analyzing 
a state-based component modeled by TA. We have illustrated the approach with an example which shows 
how the model of a component is abstracted to work with an event stream at coarse granularity. We did 
experiments that show how the abstraction is validated: they confirm that the precision of the results 
depends on a trade-off with the analysis time. Indeed, the timing results show that the time to analyze 
the coarse models is reduced by at least 99% with respect to that of the fine models. Furthermore, using the results from 
multiple runs of analysis at different granularities, we also demonstrate how to obtain bounds on the 
arrival patterns of the fine output stream with a reasonable loss of precision. 

In future work, we aim at further characterizing the class of M-TA: from a theoretical point of view, 
we may compare it to some existing class, such as event count automata [8]; and from a practical point 
of view, we will go on checking whether the expressivity of M-TA is enough to model more complex power- 
managed components. We also plan to adapt the granularity changes to other state-based models, namely 
the ones in [2]. On the other hand, a more challenging perspective would be to work on new state-based 
abstraction techniques for analyzing the time and energy consumption of a component. 
A Arrival and Service Curves 

A.1 Input Curves 

Figure 13: Example of fine and coarse input arrival curves (figure not reproduced) 

Figure 14: Example of fine and coarse service curves ψ^{L/U} and ψ^{L/U}_3 (figure not reproduced) 

A.2 Output Curves 

Figure 15: Comparison of output arrival curves at g = 4 using the simple coarse PMC P_c, the coarse PMC with 
ω P_c-ω and the optimized PMC P_c-opt (figure not reproduced) 

Figure 16: Comparison between fine and coarse output arrival curves computed from the fine and the optimized 
coarse PMC models respectively (figure not reproduced) 

A.3 Combined Output Curves 

Figure 17: Computed fine upper output arrival curves ξ^U-granu (with the simple scheme) and ξ^U-ref (with the 
mathematical refinement algorithm) (figure not reproduced) 



